Secure encryption method and component using same

ABSTRACT

The protected method of cryptographic computation includes N computation rounds successively performed to produce an output data from an input data and a private key. The method also includes a first masking stage to mask the input data, so that each intermediate data used or produced by a computation round is masked, and a second masking stage to mask data manipulated inside each computation round.

FIELD OF THE INVENTION

[0001] The present invention relates to a component and a secured method for cryptographic computation with a secret or private key and, more particularly, to the protection of such components against physical attacks designed to obtain information on the secret or private key from the power consumption or the electromagnetic radiation of the component while it implements the encryption method.

BACKGROUND OF THE INVENTION

[0002] Components with strictly controlled access to services and/or data typically have an architecture formed around a microprocessor and a program memory including the secret key. Such components are used for example in smart cards, especially for banking applications, via a control terminal or a remote terminal. Such components use one or more secret key or private key encryption methods to compute an output data from an input data. Such a method is used for example to encipher, decipher, authenticate or sign an input message, or else to verify the signature of the input message.

[0003] To ensure the security of the transactions, secret key or private key encryption methods are constructed in such a way that it is not possible to determine the secret key used from knowledge of the input data and/or the output data of the algorithm. However, the security of a component relies on its capacity to keep the secret key that it uses concealed, for this key cannot be modified.

[0004] One method frequently used is the DES (Data Encryption Standard) type method. This method can be used for example to give an enciphered message MS (or output data) encoded on 64 bits from a plaintext message ME (or input data) also encoded on 64 bits and a secret 56-bit key K₀. The main steps of the DES are described in detail with reference to FIG. 1. After an initial permutation IP, the block formed by the permutated bits of the input data is separated into a left-hand part L₀ and a right-hand part R₀.

[0005] After this, 16 rounds of identical operations are performed. During each round of operations, the right-hand part (R₀, . . . , R₁₅) of the intermediate data computed during the previous round of operations is combined with a derived key (M₁, . . . , M₁₆) during a transformation called transformation F. The result of the transformation F is then added (XOR operation) to the left-hand part (L₀, . . . , L₁₅) of the intermediate data computed during the previous round of operations.

[0006] After the 16th round of operations, the left-hand part L₁₆ and the right-hand part R₁₆ of the 16th intermediate data are assembled and a final permutation IP⁻¹, which is the inverse of the initial permutation IP, terminates the procedure. A round of operations of rank i, with i between 1 and 16, is described in detail with reference to FIG. 2. The 56 bits of an intermediate key K_(i-1) computed during the previous round are shifted (operation S_(i)) to give a new updated intermediate key K_(i), then 48 bits out of 56 are selected by a permutation/compression operation PC to provide a derived key M_(i): M_(i) = PC(K_(i)) = PC(S_(i)(K_(i-1))). The association of the steps PC and S_(i) forms a key computation step ET2.

[0007] In parallel, the transformation F is carried out. The right-hand part R_(i-1) of the intermediate data computed during the previous round is extended to 48 bits by an expansion (operation E), combined with the derived key M_(i) by an XOR type operation, replaced by 32 new bits by a substitution operation (represented by the operation SBOX), then permutated once again (operation P). In practice, the operations F, P, E, PC, SBOX are identical for all the rounds. On the contrary, the shift operations S₁ to S₁₆ used during the computation of the intermediate keys K₁ to K₁₆ (and hence of the derived keys M₁ to M₁₆) differ from one round to another.

[0008] All the characteristics of the operations IP, IP⁻¹, P, PC, E, SBOX, S_(i) performed during the implementation of a DES method are known: the computations made, the parameters used, etc. These characteristics are, for example, described in detail in the patent application WO 00/46953 or in the “Data Encryption Standard, FIPS PUB 46”, published on 15 Jan. 1977.

[0009] The security of a component using a secret key or private key encryption method lies in its capacity to keep the key that it uses secret. To be secure, a component must in particular be capable of keeping the secret key that it uses concealed when it undergoes a DPA (Differential Power Analysis) type analysis. In a DPA analysis, a statistical analysis is made of the consumption of the component, namely the trace left by the component as a function of time. For this purpose, a sample of about 1,000 trace measurements is used, each trace corresponding to an input data ME[i], i = 1 to 1000, the input data being different and independent of one another. The statistical study validates one or more assumptions made on the value of the bits of the secret key used.

[0010] A specific example of the implementation of a DPA type analysis on a component using a DES type encryption method is described in detail in WO 00/46953, especially on pages 3 and 4 of that publication. The DES type encryption method is especially vulnerable to DPA type attacks at the output of the SBOX operators. More generally, an encryption method is vulnerable to a DPA type analysis at any point where the secret key appears in combination either with the input data or with the output data. Thus, in practice, a DES type method is vulnerable to attack at the output of all the operators (XOR, P, E, PC, SBOX, etc.) of all the rounds of operations, because the secret key is mixed with the input data from the first round of operations onwards.

[0011] For example, with the input data ME being known and making assumptions on the secret key K₀, it is possible to predict the value of at least one bit of the intermediate data (L₁, R₁) given at the output of the first round of operations. If the prediction is verified by the statistical study, then the assumption made on the secret key is verified.
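As an added illustration of the attack just described (this simulation is not part of the patent text), the following Python code mounts a Kocher-style difference-of-means DPA on the output of the first-round DES S-box S1: the attacker knows the 6-bit chunk of E(R₀) entering that S-box, guesses the 6 bits of M₁ combined with it, predicts one output bit per trace and compares the mean sample of the two groups. The same attack is then run against a device whose S-box output carries a fresh random mask X₂ at every execution, which is what the masked operator SBOX′ described later produces. The leakage model (Hamming weight of the stored S-box output plus Gaussian noise), the trace count, the seed and the subkey value are assumptions of the simulation, not measurements; only the S1 table is DES's.

```python
"""Simulated DPA on one first-round DES S-box, unmasked versus output-masked.
Added example. Leakage model: Hamming weight of the stored S-box output plus
Gaussian noise (an assumption of the simulation, not a measured trace)."""
import random

# DES S1 from FIPS PUB 46, rows indexed by the outer two input bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(a):
    """DES indexing of a 6-bit input: row = outer bits (b5, b0), column = b4..b1."""
    row = ((a >> 5) & 1) << 1 | (a & 1)
    col = (a >> 1) & 0xF
    return S1[row][col]


def hw(x):
    return bin(x).count("1")


def simulate_traces(subkey, n, masked, rng, sigma=1.0):
    """One sample per execution: HW of the value written after the S-box lookup.
    Unmasked device: stores SBOX[e ^ M1] for the known 6-bit chunk e of E(R0).
    Masked device: stores SBOX'[e ^ M1 @ X3] = SBOX[e ^ M1] # X2 with fresh X2
    (and X3) each execution; only X2 is visible at this point of the trace."""
    inputs, samples = [], []
    for _ in range(n):
        e = rng.randrange(64)                 # known, varies per trace
        v = sbox(e ^ subkey)
        if masked:
            v ^= rng.randrange(16)            # X2: fresh 4-bit output mask
        inputs.append(e)
        samples.append(hw(v) + rng.gauss(0.0, sigma))
    return inputs, samples


def dpa(inputs, samples, bit=0):
    """Difference of means on one predicted S-box output bit, for every
    6-bit subkey guess. Returns (best guess, {guess: difference of means})."""
    scores = {}
    for g in range(64):
        ones = [s for e, s in zip(inputs, samples) if (sbox(e ^ g) >> bit) & 1]
        zeros = [s for e, s in zip(inputs, samples) if not (sbox(e ^ g) >> bit) & 1]
        scores[g] = sum(ones) / len(ones) - sum(zeros) / len(zeros)
    best = max(scores, key=lambda g: abs(scores[g]))
    return best, scores


def run(subkey=0b101101, n=2000, seed=7):
    """Attack the unmasked and the masked device with the same inputs budget.
    Subkey, trace count and seed are constructed values for the example."""
    rng = random.Random(seed)
    plain = dpa(*simulate_traces(subkey, n, False, rng))
    masked = dpa(*simulate_traces(subkey, n, True, rng))
    return plain, masked


if __name__ == "__main__":
    (pb, ps), (mb, ms) = run()
    print("unmasked: best guess", bin(pb), "DoM", round(ps[pb], 2))
    print("masked:   best guess", bin(mb), "DoM", round(ms[mb], 2))
```

On the unmasked traces the true subkey stands out with a difference of means close to 1, because the predicted bit shifts the Hamming weight of the stored nibble by exactly one while the other three bits average out. On the masked traces every guess sits in the noise: HW(SBOX[A]#X₂) with X₂ uniform is distributed independently of A, so no partition of the traces by a prediction on the key can separate the means.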

[0012] To be secure, a component must also be capable of keeping the secret key that it uses concealed when it undergoes an SPA (Simple Power Analysis) type analysis. In an SPA analysis, the component is made to execute the encryption method that it uses several times with the same input data ME applied to it and, for each execution of the method, the trace left by this execution is measured as a function of time. The trace represents, for example, the power consumption of the component or the electromagnetic energy radiated as a function of time. The set of measurements is then averaged to filter the noise from the measurement and obtain the real trace of the circuit for a fixed input data ME. For example, a set of 10 to 1000 identical measurements may be enough to filter the noise from the measurement and obtain the real trace of the component for a fixed input data ME. After filtering, the different steps of the DES method can be seen clearly on the real trace of the component: initial permutation IP, 16 rounds of operations and then final permutation IP⁻¹.

[0013] A DES type method is sensitive to SPA type analysis especially at the points where the secret key appears, in its initial form K₀ or in another form (intermediate keys K₁, . . . , K₁₆, derived keys M₁, . . . , M₁₆). Indeed, by an SPA type analysis it is possible, for each round i of operations, to determine an image of the derived key M_(i). For example, it is possible to identify the time interval during which the derived key M_(i) is transferred before the execution of the XOR operation. Since all the derived keys M₁ to M₁₆ are obtained from the secret key K₀ by known operations, knowledge of simple images of the derived keys gives information on the secret key K₀.

[0014] In general, all encryption methods are more or less sensitive to DPA type attacks, especially at the places where there appears a predictable intermediate result that is a combination of the input data (or a data derived from the input data) and of the secret or private key (or of a key obtained from the secret or private key), or else that is a combination of the output data (or a data derived from the output data) and of the secret key (or of a key obtained from the secret key). An intermediate result of this kind is indeed predictable, from the input data and/or from the output data and from assumptions on the key used, because the encryption methods used (the operators used, the order of use of these operators, etc.) are known. A DPA attack then gives information on the key used by validating the assumptions made.

[0015] In practice, all the methods are sensitive at the output of all the operators of all their steps (or sub-steps) using the input data (or a data derived from the input data), once the input data has been mixed with the secret key for a first time. In the same way, all the methods are also sensitive at the output of all the operators giving a result that depends on the output data and on the secret or private key, and this is the case once the input data has been mixed for a first time with a secret or private key.

[0016] In the same way, all the encryption methods using secret keys are more or less sensitive to SPA type analysis. Their sensitivity is especially great at places where the key appears alone, in its initial form or during a step known as a critical step, during which the secret key is used either directly or in a derived form obtained by a known law of derived key scheduling. A critical step of this kind is for example an intermediate or derived key scheduling step in which the key is computed from a secret or private key or else from a previously computed intermediate key.

SUMMARY OF THE INVENTION

[0017] It is an object of the invention to implement a secured method of cryptographic computation with a secret or private key that is made immune to any physical attack of the DPA type, namely a secured method of cryptographic computation whose trace, during the implementation of the method, gives no information on the key that it uses, whatever the input data used by the method, whatever the number of uses of the method, and even if a statistical study of the trace is made.

[0018] Another object of the invention is to implement a secured method of cryptographic computation with a secret or private key that is also protected against any SPA type attack.

[0019] With these goals in view, the invention relates to a protected method of cryptographic computation, the method comprising N computation rounds successively performed to produce an output data from an input data and a secret key. According to the invention, the method also comprises a first masking stage to mask the input data, so that each intermediate data used or produced by a computation round is masked, and a second masking stage to mask the data manipulated inside each computation round.

[0020] The invention also relates to an electronic component using a method of the kind described above and detailed below. The word “masked” (or “mixed”) should be understood here and in the rest of the document in the following sense: in a method according to the invention, a data, a result or an operand is said to be masked if it has a different value during two executions of the method, especially during two executions of the method using the same input data and the same secret or private key.

[0021] Thus, with the invention, the data given by a computation round is masked because the input data is masked before the computation round (first masking stage). The data given by a computation round is therefore different at each execution of the method, even if the input data and the secret key used are identical.

[0022] Furthermore, the second masking stage used in a method according to the invention enables the masking of all the data manipulated inside a computation round. Thus, the two masking stages used in the invention enable the masking of each data manipulated during the method, inside or outside the computation rounds. A statistical study of the consumption (or the electromagnetic radiation) of the component using a method according to the invention is therefore bound to fail: it cannot be used to obtain information on the secret key used, since the power consumption of the component is decorrelated from the value of the key used.

[0023] To perform the first masking stage, the following steps are preferably performed: a first masking step ET01, carried out before the first computation round (round 1), to mask the input data, and a first unmasking step ET10, applied after the Nth computation round (round N), to give the non-masked output data.

[0024] To perform the second masking stage, the following steps are preferably performed in the computation round of rank i: a second masking step ET3 to mask a result of a previous step of the computation round of rank i; a substitution step ET6 to substitute the masked result by using a masked, non-linear operator SBOX′; and a second unmasking step ET9 to unmask the result of the step ET6.

[0025] During the first masking step ET01, a first masking parameter is mixed with the input data ME to give a masked input data to the first computation round, the mixing being done through the use of a first linear mixing operator. To provide the method with maximum security, the first masking parameter is preferably chosen randomly at each implementation of the method during the masking step. The first masking parameter can also be chosen randomly only at intervals corresponding to every M implementations of the method. In this case, the same masking parameter is used for the M following implementations.

[0026] The first masking step thus makes it possible, by mixing the input data with a random parameter, to eliminate every correlation between the input data ME and an intermediate data obtained from the input data ME and used or produced by a computation round. During the first unmasking step, at the end of the method, the contribution made by the first masking parameter to the result of the Nth computation round is subtracted from that result. The unmasking step thus makes it possible, at the end of the method, to retrieve the expected output data. In particular, if the method is performed twice with the same input data and the same secret key, then the output data MS obtained is the same in both cases. On the other hand, the intermediate data are different.

[0027] For the implementation of the second masking stage, the method also preferably comprises a third masking step ET03, carried out before the first computation round, to produce the masked non-linear operator SBOX′ verifying the following relation, for each data A:

SBOX′(A@X₃) = SBOX(A)#X₂,

[0028] where

[0029] X₂ is a second masking parameter,

[0030] X₃ is a third masking parameter,

[0031] SBOX is a known non-linear operator,

[0032] “#” is a second mixing operator and

[0033] “@” is a third mixing operator.

[0034] Preferably, at least one of the masking parameters used is randomly chosen at each implementation of the method, to obtain the maximum security.

[0035] According to another embodiment, one of the masking parameters may be randomly chosen every M implementations of the method. Preferably also, the mixing operators are linear. As an example, the XOR operator may be chosen for one of the mixing operators.

[0036] If the method according to the invention comprises a derived key scheduling step to give a derived key from the secret key according to a known key scheduling law, then the method is advantageously complemented by the addition of a fourth masking step, performed before the derived key scheduling step, to mask the secret key so that the scheduled derived key is different at each implementation of the method.

[0037] Thus, the derived key or keys and/or the intermediate scheduled key or keys are all masked by the addition of a random parameter, so that an analysis of the power consumption of the component, of the SPA type for example, cannot provide any information on the secret key used. According to an embodiment, during the fourth masking step, a randomly chosen masking parameter is mixed with the secret key via a fourth masking operator to give a masked secret key, the masked derived key being computed from the masked secret key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0038] The invention will be understood more clearly, and other features and advantages of the invention shall appear, from the following description of exemplary forms of implementation of protected methods of cryptographic computation according to the invention. The description will be made with reference to the appended drawings, of which:

[0039] FIG. 1, already described, is a flowchart illustrating a known DES type encryption method using a secret key;

[0040] FIG. 2, already described, is a schematic drawing detailing a step of the method of FIG. 1;

[0041] FIGS. 3a, 3b are schematic drawings illustrating the method secured according to the invention;

[0042] FIG. 4 is a schematic diagram of another embodiment of the method of FIGS. 3a, 3b.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0043] FIGS. 3a, 3b show how the DES method of FIGS. 1, 2 is secured with the invention. To simplify, only the first computation round and the computation round of rank i have been represented in FIGS. 3a, 3b, with the characteristic steps of the invention; i is an integer between 1 and 16. As previously explained, a DES method computes an output data from a secret key K₀ and from an input data ME; the DES method comprises 16 computation rounds, preceded by an initial permutation IP (FIG. 3a) and followed by a final permutation IP⁻¹ (FIG. 3b), the inverse of the initial permutation. Each computation round comprises (FIG. 2) a derived key scheduling step ET1, a transformation step F′ and a combination step ET8 with an XOR operator.

[0044] The DES method is secured according to the invention by the addition of two masking stages. The first masking stage comprises a masking step ET01 (FIG. 3a) and an unmasking step ET10 (FIG. 3b). The second masking stage is performed at each computation round; it comprises a masking step ET3, a substitution step ET6 by a masked non-linear operator SBOX′ and an unmasking step ET9.

[0045] In the example of FIGS. 3a, 3b, the method comprises an initialization step ET0 comprising four sub-steps ET00 to ET03. The object of the initialization step is to perform the first masking stage (step ET01: masking of the input data ME) and to prepare the second masking stage (by computation of the non-linear operator SBOX′). The second masking stage is then performed at each computation round. During the step ET00, three masking parameters X₁, X₂, X₃ are chosen randomly. They are modified for example at each implementation of the method. They may also be modified only every M implementations of the method.

[0046] During the step ET01, the left-hand and right-hand parts of the input data are separated and then masked by the parameter X₁, to give a masked left-hand part L′₀ = L₀&X₁ and a masked right-hand part R′₀ = R₀&X₁. The masking is done via the first masking operator “&”. The operator “&” is chosen to be linear with respect to the two variables that it mixes. In one embodiment, the operator “&” is an XOR operator. The operator “&” may also be any other type of linear operator. In general, the operator “&” has the following properties, whatever the data A, B, C:

[0047] “&” has arity 2: it takes two arguments;

[0048] “&” verifies E(A&B) = E(A)&E(B), E being a linear operator;

[0049] “&” verifies (A⊕B)&C = A⊕(B&C), ⊕ being the XOR operator.

[0050] There is an operator “&⁻¹”, the inverse of “&”, such that (A&B)&⁻¹A = B; as the case may be, “&” and “&⁻¹” may be identical (this is the case when “&” is the XOR operator).

[0051] During the step ET02, the variables VX₁ = E(X₁), VX₂ = P(X₂) are computed. The operators E, P are respectively the expansion and the simple permutation defined in the known DES type method. During the step ET03, a new non-linear operator SBOX′ is computed by the relationship:

SBOX′ = FCT(SBOX, X₂, X₃)

[0052] where SBOX is the non-linear operator used in a known DES method, X₂, X₃ are the random parameters, and FCT is a function such that:

[0053] SBOX′[A@X₃] = SBOX[A]#X₂, for any value of A. In practice, SBOX′ is obtained by recomputing the substitution table: for each input A of SBOX, the entry of SBOX′ at index A@X₃ receives the value SBOX[A]#X₂.

[0054] “@”, “#” are linear mixing operators having properties similar to those of the operator “&”.

[0055] “@” and “#” may be different from each other, and they may also be different from the operator “&”.

[0056] The first round of operations is then carried out; it can be sub-divided into nine steps ET1 to ET9. During the key-scheduling step ET1, a derived key M₁ is computed from the secret key K₀. The first updated derived key M₁ is given by the relationship M₁ = PC(S₁(K₀)) = PC(K₁). K₁ is a first updated intermediate key, which will be passed on to the second round of operations (not shown in FIGS. 3a, 3b). The operators PC, S₁ are respectively a permutation-compression and a bit-shifting operation as defined in the case of a known DES method. The step ET1 is thus identical to a key-scheduling step as defined in the context of a known DES method.

[0057] The following steps ET2 to ET8 form a transformation step F′, which corresponds to the transformation F of a prior art method modified by the addition of the steps ET3, ET4 and by the replacement of the operator SBOX by the new operator SBOX′ according to the invention. During the step ET2, an expansion is made on the data R′₀. During the step ET3, the result E(R′₀) of this operation is mixed with the parameter X₃ by means of the mixing operator “@”.

[0058] The next step ET4 is a first unmasking step designed to remove, from the result of the previous operation, the contribution made to this result by the masking parameter X₁. To this end, the following operation is carried out, using the linearity of E (E(R′₀) = E(R₀&X₁) = E(R₀)&E(X₁)):

[E(R′₀)@X₃]&⁻¹VX₁ = [E(R′₀)@X₃]&⁻¹E(X₁) = [E(R₀)&E(X₁)@X₃]&⁻¹E(X₁) = E(R₀)@X₃

[0059] During the next step ET5, the result of the previous step ET4 is mixed with the updated derived key M₁ by an XOR operation. The step ET5 thus gives the result E(R₀)@X₃⊕M₁ = E(R₀)⊕M₁@X₃.

[0060] During the step ET6, the non-linear operation SBOX′ is performed on the result of the previous operation. The step ET6 gives the result:

SBOX′[E(R₀)⊕M₁@X₃] = SBOX[E(R₀)⊕M₁]#X₂.

[0061] This results from the definition of the non-linear operator SBOX′.

[0062] A bit-permutation operation P is then applied to this result(step ET7). We thus obtain:

F′(R′₀) = P[SBOX[E(R₀)⊕M₁]#X₂] = P[SBOX[E(R₀)⊕M₁]]#P(X₂).

[0063] This result is deduced simply from the linearity of the operator P.

[0064] During the step ET8, the result of the permutation P is then added (by means of an XOR operation) to the data L′₀ computed during the step ET01. The step ET8 is similar to the corresponding step of a known DES method. We then obtain:

P[SBOX[E(R₀)⊕M₁]]#P(X₂)⊕L′₀ = [P(SBOX[E(R₀)⊕M₁])#P(X₂)]⊕L₀&X₁ = [P[SBOX[E(R₀)⊕M₁]]⊕L₀]&X₁#P(X₂) = R₁&X₁#P(X₂)

[0065] where R₁ is the right-hand part of the first intermediate data (L₁, R₁) as defined in the context of the known DES type method. Here too, all the above equalities are deduced from the linearity of the operators P, &, #.

[0066] The following step ET9 is a second unmasking step that seeks to remove, from the result of the previous operation, the contribution made to this result by the masking parameter X₂. To this end, the following operation is carried out:

[R₁&X₁#P(X₂)]#⁻¹VX₂ = [R₁&X₁#P(X₂)]#⁻¹P(X₂) = R₁&X₁

[0067] At the end of the first round, the updated intermediate data provided is equal to (L′₁, R′₁), with:

L′₁ = R′₀ = R₀&X₁ = L₁&X₁, and R′₁ = R₁&X₁.

[0068] Thus, with the DES method according to the invention, the intermediate data (L′₁, R′₁) computed during the first round of operations is equal to the intermediate data (L₁, R₁) given by an unsecured, known DES type method, masked by the random parameter X₁ by means of the operator “&”. The second round is then performed, using the new updated intermediate data (L′₁, R′₁) as well as the updated intermediate key K₁ computed during the step ET1.

[0069] In general, the round of operations of rank i can be sub-divided into nine steps ET1 to ET9. During the step ET1, a derived key M_(i) is computed from the intermediate key K_(i-1) computed during the preceding round: M_(i) = PC(S_(i)(K_(i-1))) = PC(K_(i)). K_(i) is the updated intermediate key, which will be passed on to the next round of operations (not shown in FIGS. 3a, 3b). The operators PC, S_(i) are respectively a permutation-compression and a bit-shifting operation as defined in the case of a known DES method.

[0070] During the step ET2, the expansion is made on the data R′_(i-1). During the step ET3, the result E(R′_(i-1)) of this operation is mixed with the parameter X₃ by means of the mixing operator “@”.

[0071] During the next step ET4, the following operation is carried out:

[E(R′_(i-1))@X₃]&⁻¹VX₁ = [E(R′_(i-1))@X₃]&⁻¹E(X₁) = [E(R_(i-1))&E(X₁)@X₃]&⁻¹E(X₁) = E(R_(i-1))@X₃

[0072] During the next step ET5, the result of the step ET4 is mixed with the updated derived key M_(i) by an XOR operation. The step ET5 thus gives the result:

E(R_(i-1))@X₃⊕M_(i) = E(R_(i-1))⊕M_(i)@X₃.

[0073] During the step ET6, the non-linear operation SBOX′ is performed on the result of the previous operation. The step ET6 gives the result:

SBOX′[E(R_(i-1))⊕M_(i)@X₃] = SBOX[E(R_(i-1))⊕M_(i)]#X₂.

[0074] This results from the very definition of the non-linear operator SBOX′.

[0075] A bit-permutation operation P is then applied to this result (step ET7). We thus obtain:

P[SBOX[E(R_(i-1))⊕M_(i)]#X₂] = P[SBOX[E(R_(i-1))⊕M_(i)]]#P(X₂).

[0076] During the step ET8, the result of the permutation P is then added (by means of an XOR operation) to the data L′_(i-1) computed during the previous round. We then obtain:

P[SBOX[E(R_(i-1))⊕M_(i)]]#P(X₂)⊕L′_(i-1) = [P(SBOX[E(R_(i-1))⊕M_(i)])#P(X₂)]⊕L_(i-1)&X₁ = [P[SBOX[E(R_(i-1))⊕M_(i)]]⊕L_(i-1)]&X₁#P(X₂) = R_(i)&X₁#P(X₂)

[0077] where R_(i) is the right-hand part of the updated data (L_(i), R_(i)) of rank i as defined in the context of the known DES type method. Here too, all the above equalities are deduced from the linearity of the operators P, &, #.

[0078] The following step ET9 is a second unmasking step that seeks to remove, from the result of the previous operation, the contribution made to this result by the masking parameter X₂. To this end, the following operation is performed:

[R_(i)&X₁#P(X₂)]#⁻¹VX₂ = [R_(i)&X₁#P(X₂)]#⁻¹P(X₂) = R_(i)&X₁

[0079] At the end of the round of rank i, the updated intermediate data provided is equal to (L′_(i), R′_(i)), with:

L′_(i) = R′_(i-1) = R_(i-1)&X₁ = L_(i)&X₁, and R′_(i) = R_(i)&X₁.

[0080] Thus, with the DES method according to the invention, the intermediate data (L′_(i), R′_(i)) computed during the round of operations of rank i is equal to the intermediate data (L_(i), R_(i)) given during the same round by a non-secured, known DES method, masked by the random parameter X₁ by means of the operator “&”.

[0081] The new intermediate data (L′_(i), R′_(i)) is then passed on to the next round. The 16th round of the method gives the 16th intermediate data (L′₁₆, R′₁₆). During a third and final unmasking step ET10, the contribution of the parameter X₁ to the 16th data is removed by means of the operator &⁻¹: L₁₆ = L′₁₆&⁻¹X₁, R₁₆ = R′₁₆&⁻¹X₁.

[0082] The final permutation IP⁻¹, carried out after the step ET10, terminates the DES method according to the invention. The permutation IP⁻¹ is identical to the equivalent permutation of a known type of DES method.

[0083] With the DES method according to the invention, the output data produced is the same as the one given by a known DES method, inasmuch as the input data ME and the secret key K₀ are identical for the known method and the method according to the invention.

[0084] On the other hand, with a method according to the invention (FIGS. 3a, 3b) and contrary to a known DES method (FIGS. 1, 2): the intermediate data of type (L′_(i), R′_(i)), used or produced by the computation rounds, are all masked with the parameter X₁ (first masking stage); and all the intermediate results produced by an operation (of the P, PC, E, S_(i), SBOX′, XOR ⊕ or other type) are masked by at least one of the parameters X₁, X₂ or X₃ or by a value derived from these parameters (E(X₁), P(X₂), etc.); the second masking stage is thus correctly implemented.

[0085] Since X₁, X₂ and X₃ are chosen randomly at each implementation of the method, the values of all the intermediate results and of all the intermediate data are different at each implementation of the method, whatever the value of the input data (L₀, R₀) or the value of the secret key K₀ used by the method of the invention. In particular, the values of all the intermediate results are different even in the case where the method is implemented twice with the same input data ME and the same secret key K₀.

[0086] The presence of at least one random parameter suppresses any correlation, at the level of an intermediate result or an intermediate data, between the secret key K₀ and the input data ME. A DPA type statistical analysis therefore does not make it possible to obtain information on the secret key used by a secured method according to the invention.

[0087] Modifications and/or improvements of the method of FIGS. 3a, 3b are possible without departing from the framework of the invention. For example, the order in which certain steps of the method are carried out may be modified. The steps IP, ET01, round 1, . . . , round i, . . . , round 16, ET10, IP⁻¹ must be executed in the order presented in FIGS. 3a, 3b if the method is to be equivalent to that of FIGS. 1, 2.

[0088] The step ET00 must be performed before the step ET01. The step ET00 may be performed before or in parallel with the step IP. The step ET02 is performed between the step ET00 and the step ET4 of the first round of operations; it may be performed before or in parallel with the step IP, the step ET01 and the steps ET1 or ET2. The step ET03 is performed between the step ET00 and the step ET6 of the first round of operations; it may be performed before or after the step ET01 and the steps ET1, ET2, ET3 or ET4. For reasons of symmetry, the step ET10 will be carried out after the step IP⁻¹ if the step ET01 is performed before the step IP. Conversely, the step ET10 will be performed before the step IP⁻¹ if the step ET01 is performed after the step IP. In each round i, the step ET1 must be carried out so that the derived key M_(i) that it gives is available for the performance of the step ET5; the step ET1 may for example be carried out in parallel with the steps ET2, ET3 or ET4.

[0089] In the example described above with reference to FIGS. 3a, 3b, three random parameters X₁, X₂, X₃ are used. This approach masks all the intermediate results in the most efficient way possible. In another example, it is possible to use only two parameters, X₁ and X₂. In this case, the step ET02 is limited to the computation of P(X₂), the steps ET3, ET4 of all the rounds of operations are eliminated, and the step ET03 is modified to compute a new non-linear operator SBOX″ by the relationship:

SBOX″ = FCT″(SBOX, X₁, X₂),

[0090] with FCT″ being a function such that:

SBOX″(A&E(X₁)) = SBOX(A)#X₂.

[0091] Here too, all the intermediate results are masked by a random parameter that is modified at each implementation of the method. In particular, in the round of rank i, at the output of the step ET2, the intermediate result E(R′_(i-1)) = E(R_(i-1))&E(X₁) is masked by the derived parameter E(X₁). In the same way, at the output of the step ET5, the intermediate result E(R′_(i-1))⊕M_(i) is masked by the derived parameter E(X₁). At the output of the step ET6, the intermediate result is masked, as in the previous example, by the parameter X₂.
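The three-parameter scheme of FIGS. 3a, 3b (steps ET01 to ET10) and the two-parameter variant just described can be exercised end to end on a reduced cipher. The following Python is an added example, not the patent's own code: a DES-shaped Feistel cipher with a 16-bit block, 8-bit halves, an expansion E to 12 bits, two 6-to-4 S-boxes, a permutation P and an S_(i)/PC key schedule, all tables constructed for the example, with no IP/IP⁻¹ and XOR as every mixing operator (&, @, #). encrypt() is the unprotected reference, encrypt_masked() follows the steps ET01 to ET10 with their comments, and encrypt_masked_2p() implements the SBOX″(A&E(X₁)) = SBOX(A)#X₂ variant; in both, the masked S-box tables are recomputed from the randomly chosen parameters before the first round, as step ET03 prescribes.

```python
"""DES-shaped toy Feistel cipher and the masked variants described in the text.
Added example, not the patent's code: 16-bit block (L, R of 8 bits), 4 rounds,
constructed tables, no IP / IP^-1, XOR as every mixing operator (&, @, #)."""
import random

E_TABLE = [7, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 0]        # E: 8 -> 12 bits (constructed)
P_TABLE = [5, 2, 7, 0, 3, 6, 1, 4]                    # P: 8-bit permutation (constructed)
PC_TABLE = [0, 2, 4, 6, 8, 10, 12, 14, 1, 5, 9, 13]   # PC: 16 -> 12 key bits (constructed)
SHIFTS = [1, 1, 2, 2]                                 # S_i: key rotation per round
ROUNDS = len(SHIFTS)

_rng = random.Random(2024)
# Two constructed 6-bit -> 4-bit S-boxes; the masking identity holds for any table.
SBOXES = [[_rng.randrange(16) for _ in range(64)] for _ in range(2)]


def select_bits(value, width, table):
    """Bit-selection layer: output bit j (MSB first) copies input bit table[j],
    counted from the MSB of a `width`-bit value. Linear over XOR, so
    select_bits(a ^ b) == select_bits(a) ^ select_bits(b)."""
    out = 0
    for src in table:
        out = (out << 1) | ((value >> (width - 1 - src)) & 1)
    return out


def E(r):
    return select_bits(r, 8, E_TABLE)


def P(x):
    return select_bits(x, 8, P_TABLE)


def PC(k):
    return select_bits(k, 16, PC_TABLE)


def key_schedule(k0):
    """ET1 of every round: K_i = S_i(K_(i-1)), M_i = PC(K_i)."""
    derived, k = [], k0
    for s in SHIFTS:
        k = ((k << s) | (k >> (16 - s))) & 0xFFFF
        derived.append(PC(k))
    return derived


def sbox_layer(x, sboxes):
    """12-bit input split into two 6-bit chunks, each substituted by 4 bits."""
    return (sboxes[0][(x >> 6) & 0x3F] << 4) | sboxes[1][x & 0x3F]


def encrypt(block, k0, trace=None):
    """Unprotected reference: the (L_i, R_i) of the known DES-type method."""
    l, r = block >> 8, block & 0xFF
    for m in key_schedule(k0):
        l, r = r, l ^ P(sbox_layer(E(r) ^ m, SBOXES))
        if trace is not None:
            trace.append(r)                     # R_i: an intermediate a DPA can predict
    return (l << 8) | r


def masked_sboxes(x2, x3):
    """ET03: tables SBOX' with SBOX'[a ^ x3] = SBOX[a] ^ x2, built chunk by chunk
    (x3 is 12 bits, x2 is 8 bits; each is split to match the two S-boxes)."""
    x3_parts = [(x3 >> 6) & 0x3F, x3 & 0x3F]
    x2_parts = [(x2 >> 4) & 0xF, x2 & 0xF]
    tables = []
    for box, m_in, m_out in zip(SBOXES, x3_parts, x2_parts):
        new = [0] * 64
        for a in range(64):
            new[a ^ m_in] = box[a] ^ m_out
        tables.append(new)
    return tables


def encrypt_masked(block, k0, x1, x2, x3, trace=None):
    """Three-parameter scheme of FIGS. 3a, 3b. Every stored value is masked by
    X1, X2, X3 or an image of them; the ciphertext equals encrypt()'s."""
    vx1, vx2 = E(x1), P(x2)                         # ET02
    sbox_p = masked_sboxes(x2, x3)                  # ET03
    l, r = (block >> 8) ^ x1, (block & 0xFF) ^ x1   # ET01: L'0, R'0
    for m in key_schedule(k0):                      # ET1
        t = E(r) ^ x3                               # ET2, ET3: E(R)^E(X1)^X3
        t ^= vx1                                    # ET4: E(R)^X3
        t ^= m                                      # ET5: (E(R)^M)^X3
        s = sbox_layer(t, sbox_p)                   # ET6: SBOX(E(R)^M)^X2
        l, r = r, l ^ P(s)                          # ET7, ET8: R_i^X1^P(X2)
        r ^= vx2                                    # ET9: R'_i = R_i^X1
        if trace is not None:
            trace.append(r)
    return ((l ^ x1) << 8) | (r ^ x1)               # ET10


def encrypt_masked_2p(block, k0, x1, x2):
    """Two-parameter variant: X3 is dropped, steps ET3/ET4 vanish and
    SBOX''[a ^ E(X1)] = SBOX[a] ^ X2 absorbs the E(X1) mask on the S-box input."""
    vx2 = P(x2)
    sbox_pp = masked_sboxes(x2, E(x1))
    l, r = (block >> 8) ^ x1, (block & 0xFF) ^ x1
    for m in key_schedule(k0):
        s = sbox_layer(E(r) ^ m, sbox_pp)           # E(R)^M^E(X1) -> SBOX(E(R)^M)^X2
        l, r = r, (l ^ P(s)) ^ vx2                  # R_i^X1
    return ((l ^ x1) << 8) | (r ^ x1)
```

Both masked functions return the same ciphertext as encrypt() for any X₁, X₂, X₃, while the round values they store differ from the reference by the mask X₁ and therefore change with every fresh draw of the parameters, which is the property the text relies on. Recomputing the tables costs 64 entries per S-box per draw of the parameters, which is why the text offers the option of redrawing them only every M implementations.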

[0092] Similarly, in the example described here above with reference to FIGS. 3a, 3b, the three parameters X₁, X₂, X₃ are chosen randomly, at each implementation of the method. However, the parameters X₁, X₂, X₃ can be modified more or less frequently. For example, it is possible to modify the parameters, especially X₂ and/or X₃, at each performance of a round i of operations. In this case, the steps ET02, ET03 will be performed at each round to take account of the modified parameters X₂, X₃.

[0093] In the same spirit, the parameters X₁, X₂, X₃ can be modified every M cases of implementation of the method, if it is estimated that M performances are not sufficient to carry out a DPA type attack. M is an integer. In this case, only the step ET01 is performed during the step ET0. The steps ET00, ET02, ET03 are performed only at intervals of every M cases of implementation of the method.

[0094] In another major improvement, the method is secured also against SPA type analysis. For this type of analysis, the derived key scheduling steps giving M_(i) are particularly vulnerable. The improvement therefore consists in masking the derived keys, in addition to the intermediate results.

[0095] The method of FIGS. 3a, 3b is therefore improved by the addition (see FIG. 4) of the sub-steps ET05, ET06 in the initialization step ET0, and of the steps ET11, ET12 in each of the 16 rounds of operations of the method. With a view to clarity and simplification, only the i^(th) round of the method has been shown in FIG. 4, accompanied by the new steps ET05, ET06.

[0096] During the step ET05, a fourth parameter Y₀ is chosen randomly. The step ET05 is for example carried out simultaneously with the step ET00, or else in parallel with one of the steps IP, ET01, ET02, ET03. During the masking step ET06, performed after the step ET05, the fourth masking parameter Y₀ is mixed with the secret key K₀, to give a masked secret key K′₀. The mixing is done by the following relationship:

K′₀ = K₀ | Y₀.

[0097] The operator “|” is chosen to be linear with respect to the two variables that it mixes. In one embodiment, the operator “|” is an XOR operator. The operator “|” may also be any type of linear operator. In general, the operator “|” has properties similar to those of the operators “&”, “@” or “#”.

[0098] The first round of operations (not shown in FIG. 4) is then performed. The key scheduling step ET1 is achieved here no longer directly from the secret key K₀, but from the masked secret key K′₀. The step ET1 gives a masked derived key M′₁ according to the relationship:

M′₁ = PC(S₁(K′₀)) = PC(S₁(K₀ | Y₀)) = PC(S₁(K₀)) | PC(S₁(Y₀)).

[0099] The last equality is deduced simply from the fact that the operators PC, S₁ and “|” are linear operators and therefore have, in particular, commutativity or associativity type properties. Since PC(S₁(K₀)) = M₁, it is finally deduced therefrom that M′₁ = M₁ | PC(S₁(Y₀)), M₁ being the scheduled derived key computed according to the DES method described with reference to FIGS. 3a, 3b.

[0100] The difference computation step ET11 is performed, for example, before, in parallel with or after the key scheduling step ET1. The step ET11 determines the contribution C_(i) given by the parameter Y₀ to the masked derived key M′_(i). The step ET11 is similar to the step ET1; the step ET11 thus comprises an operation S_(i) to give a masking parameter Y₁ = S₁(Y₀) updated by the shifting of the bits of the parameter Y₀, and an operation PC to compute the contribution C_(i). The contribution C₁ is thus computed according to the relationship: C₁ = PC(S₁(Y₀)). Finally, M′₁ = M₁ | C₁ is deduced therefrom. The updated masking parameter Y₁ for its part is given to the next round of operations.

[0101] The unmasking step ET12 is a sub-step of the transformation step F″ (which corresponds to the transformation F′ of the DES method according to FIGS. 4a, 4b modified by the addition of the step ET12); the step ET12 is carried out between the step ET5 and the step ET6. The step ET12 seeks to remove the contribution C₁ given by the updated masking parameter Y₁. For this purpose, the operator “|⁻¹”, which is the inverse of the operator “|”, is used. At output of the step ET12, we have:

(E(R₀) @ X₃ ⊕ M′₁) |⁻¹ C₁ = (E(R₀) @ X₃ ⊕ M₁ | C₁) |⁻¹ C₁ = E(R₀) @ X₃ ⊕ M₁

[0102] Thus, after the removal of the contribution C₁, the variable that appears at the input of the SBOX′ type operator (step ET6) is equal to E(R₀) @ X₃ ⊕ M₁, i.e. it is identical to the variable that appears at the input of the operator SBOX′ of the DES method described with reference to FIGS. 3a, 3b. Consequently, the output data that appears at output of the transformation F″ is identical to the one that appears at output of the transformation F′ of the method of FIGS. 3a, 3b.

[0103] More generally, during the i^(th) round of operations, the step ET1 gives a masked, derived key M′_(i) according to the relationship:

M′_(i) = PC(S_(i)(K′_(i-1))) = PC(S_(i)(K_(i-1) | Y_(i-1))) = PC(S_(i)(K_(i-1))) | PC(S_(i)(Y_(i-1))) = M_(i) | PC(S_(i)(Y_(i-1))),

[0104] M_(i) being the derived key computed according to the DES method described with reference to FIGS. 3a, 3b. It may be recalled that the operators PC are identical for all the rounds of the method (the same characteristics, same parameters, etc.). On the contrary, the bit-shifting operations S_(i) are different from one round of operations to another.

[0105] The step ET11 determines the contribution C_(i) made by the parameter Y_(i-1) (or more generally Y₀) to the masked derived key M′_(i). The step ET11 gives an updated masking parameter Y_(i) = S_(i)(Y_(i-1)), and an updated contribution C_(i) according to the relationship: C_(i) = PC(S_(i)(Y_(i-1))). It is finally deduced from this that M′_(i) = M_(i) | C_(i). The updated masking parameter Y_(i) for its part is given to the next round of operations.

[0106] The step ET12 is performed between the step ET5 and the step ET6. At output of the step ET12, we have:

(E(R_(i-1)) @ X₃ ⊕ M′_(i)) |⁻¹ C_(i) = (E(R_(i-1)) @ X₃ ⊕ M_(i) | C_(i)) |⁻¹ C_(i) = E(R_(i-1)) @ X₃ ⊕ M_(i)

[0107] Thus, after elimination of the contribution C_(i), the variable that appears at the input of the SBOX′ type operator (step ET6) is equal to E(R_(i-1)) @ X₃ ⊕ M_(i), i.e. it is identical to the variable that appears at the input of the operator SBOX′ of the DES method described with reference to FIGS. 4a, 4b. The output data that appears at output of the transformation step F″ is therefore identical to the one that appears at output of the transformation operation F′ of the method of FIGS. 3a, 3b.
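The masked key schedule of steps ET06, ET1, ET11 and ET12 above, as an added Python example that is not part of the patent: S_(i) is a toy left rotation using the DES per-round shift amounts, PC is a constructed bit selection on an 8-bit key, and “|” is XOR. It checks that M′_(i) | C_(i) = M_(i) in every round and that ET12 restores the unmasked round input.

```python
# Added example (not from the patent): the masked key schedule of [0098]-[0107]
# with the operator "|" instantiated as XOR. S_i and PC are constructed toy
# operators on an 8-bit key; real DES rotates two 28-bit halves and uses PC-2.

# Per-round left-rotation amounts (the real DES schedule: rounds 1, 2, 9 and 16
# rotate by one position, all other rounds by two).
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
KEY_BITS = 8
# Constructed toy PC: select bits 0, 2, 3, 5, 6 of the rotated key (LSB = bit 0).
PC_SELECT = [0, 2, 3, 5, 6]

def s_i(k, i):
    """Bit-shifting operation S_i: rotate the key left by the round-i amount.
    Linear over XOR: s_i(a ^ b, i) == s_i(a, i) ^ s_i(b, i)."""
    n = SHIFTS[i - 1]
    return ((k << n) | (k >> (KEY_BITS - n))) & ((1 << KEY_BITS) - 1)

def pc(k):
    """Permuted-choice operator PC: select a subset of the bits. Also XOR-linear."""
    return sum(((k >> b) & 1) << j for j, b in enumerate(PC_SELECT))

def masked_schedule(k0, y0):
    """Steps ET06, ET1 and ET11 over the 16 rounds. Returns a list of
    (M_i, M'_i, C_i): the plain derived key (for reference only), the masked
    derived key computed solely from K'_0 = K_0 ^ Y_0, and the contribution
    C_i = PC(S_i(Y_{i-1})) that the mask Y_0 makes to M'_i."""
    k, k_masked, y = k0, k0 ^ y0, y0       # ET06: K'_0 = K_0 | Y_0
    rounds = []
    for i in range(1, 17):
        k = s_i(k, i)                      # unmasked reference schedule
        k_masked = s_i(k_masked, i)        # ET1 on the masked key: K'_i
        y = s_i(y, i)                      # ET11: Y_i = S_i(Y_{i-1})
        rounds.append((pc(k), pc(k_masked), pc(y)))   # M_i, M'_i, C_i
    return rounds

def unmask_round_input(v, m_masked_i, c_i):
    """Steps ET5 + ET12: mix the round value with M'_i, then remove the
    contribution C_i with the inverse operator (XOR is its own inverse).
    The result equals v ^ M_i, the value the unmasked-key method would see."""
    return v ^ m_masked_i ^ c_i

def schedule_consistent(k0, y0):
    """M'_i | C_i must equal M_i in every round (the identity of [0105])."""
    return all(m_masked ^ c == m for m, m_masked, c in masked_schedule(k0, y0))
```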

[0108] Finally, with the method of FIG. 5, all the intermediate results are masked by at least one of the parameters X₁, X₂, X₃ (or a derived form of these parameters). Furthermore, all the intermediate keys K′_(i) and all the derived keys M′_(i) are also masked by the parameter Y₀ or a derived form of Y₀.

That which is claimed is:
 1. A protected method of cryptographic computation, the method comprising N computation rounds successively performed to produce an output data from an input data and a secret key, wherein the method also comprises: a first masking stage to mask the input data (ME), so that each intermediate data used or produced by a computation round is masked, and a second masking stage to mask data manipulated inside each computation round.
 2. A method according to claim 1, wherein it comprises: a first masking step (ET01) carried out before the first computation round (round 1), to mask the input data (ME), and a first unmasking step (ET10) applied after the N^(th) computation round (round N), to give the non-masked output data (MS), the steps ET01 and ET10 forming the first masking stage, and wherein an i-ranking computation round (round i) of the method comprises the following steps, for i varying from 1 to N: a second masking step ET3 to mask a result of a previous step of the i-ranking computation round, a substitution step ET6 to substitute the masked result by using a masked, non-linear operator SBOX′, a second unmasking step ET9 to unmask the result of the step ET6, the steps ET3, ET6 and ET9 forming the second masking stage.
 3. A method according to claim 2, wherein: during the first masking step (ET01), a first masking parameter (X₁) is mixed with the input data (ME) to give a masked input data (ME′; L′₀, R′₀) at the first computation round, the mixing being done by the use of a first linear mixing operator (“&”); during the first unmasking step (ET10), the contribution made by the first masking parameter (X₁) to the result of the N-th computation round is subtracted from the result of the N-th computation round.
 4. A method according to one of the claims 2 or 3, wherein it also comprises: a third masking step (ET03), carried out before the first computation round, to produce the masked non-linear operator SBOX′ verifying the following relation, for each data A: SBOX′(A @ X₃) = SBOX(A) # X₂, where X₂ is a second masking parameter, X₃ is a third masking parameter, SBOX is a known non-linear operator, “#” is a second mixing operator and “@” is a third mixing operator.
 5. A method according to claim 4, wherein, during the step ET9 of the i-ranking computation round, the contribution made by the second masking parameter (X₂) to the result of the masked non-linear operator SBOX′ is subtracted from the result produced by the masked non-linear operator SBOX′.
 6. A method according to one of the claims 2 to 5, wherein the i-ranking computation round comprises the following steps, executed in the following order: ET2: the expansion of the right-hand part (R′_(i-1)) of a masked intermediate data previously computed by a preceding computation round; ET3: the masking of the result of the preceding step ET2 by the third masking parameter (X₃) in using the third masking operator (“@”); ET4: the removal of the contribution made by the first masking parameter from the result of the previous step ET3; ET5: the mixing of the result of the previous step with an updated, derived key (M_(i)); ET6: the substitution of the result of the previous step ET5 by the masked, non-linear operator SBOX′ and the supply of a result that is masked by the second masking parameter (X₂); ET7: the permutation of the result of the previous step ET6; ET8: the addition, by means of an XOR operation, of the left-hand part (L′_(i-1)) of the previously computed intermediate data to the result of the previous step ET7; ET9: the removal of the contribution made by the second masking parameter from the result of the previous step ET8, to give a right-hand part (R′_(i)) of the updated intermediate data (L′_(i), R′_(i)), of which a left-hand part (L′_(i)) is equal to the right-hand part of the previously computed intermediate data (L′_(i-1), R′_(i-1)).
 7. A method according to one of the claims 2 to 6, wherein at least one of the masking parameters (X₁, X₂, X₃) is chosen randomly at each implementation of the method.
 8. A method according to one of the claims 2 to 6, wherein at least one of the masking parameters (X₁, X₂, X₃) is chosen randomly every M instances of implementation of the method.
 9. A method according to the claims 2 to 8, wherein the first mixing operator (“&”) and/or the second mixing operator (“#”) and/or the third mixing operator (“@”) is an XOR operator.
 10. A method according to one of the claims 2 to 9, comprising a derived key scheduling step (ET1) to give an updated derived key from the secret key (K₀) according to a known key scheduling law, wherein the method also comprises a fourth masking step (ET06), performed before the derived key scheduling step (ET1), to mask the secret key (K₀) by a mixing parameter (Y₀) so that the scheduled derived key (M′₁, M′_(i)) is different at each implementation of the method.
 11. A method according to claim 10, comprising N derived key scheduling steps (ET1) executed successively, the i-ranking derived key scheduling step giving a masked, updated derived key (M′_(i)) at the same i-ranking computation round (round i) and giving an updated masked secret key (K′_(i)) from a previously computed masked secret key (K′_(i-1)), wherein the i-ranking computation round comprises especially the following steps ET5 and ET12, performed between the step ET3 and the step ET6: ET5: mixing of a result with the updated masked derived key (M′_(i)) of rank i; ET12: removal of the contribution (C_(i)) made by the mixing parameter (Y₀) from the result of the step ET5.
 12. A method according to claim 11, wherein the fourth masking step (ET06) is performed before the first derived key scheduling step.
 13. A method according to claim 11, wherein the fourth masking step (ET06) is performed before each derived key scheduling step (ET1).
 14. A method according to one of the claims 10 to 13, wherein, during the fourth masking step (ET06), a randomly chosen masking parameter (Y₀) is mixed with the secret key (K₀) by means of a fourth masking operator (“|”), to give a masked secret key (K′₀), the masked derived key (M′₁, M′_(i)) being computed from the masked secret key (K′₀).
 15. A method according to claim 14, wherein, during the fourth masking step (ET06), the following operation is performed: K′₀ = K₀ | Y₀, K′₀ being the masked secret key, K₀ being the secret key, Y₀ being the fourth masking parameter, “|” being the fourth mixing operator.
 16. A method according to one of the claims 14 to 15, wherein the fourth mixing operator (“|”) is an XOR operator.
 17. An electronic component, comprising a cryptographic computation method according to one of the claims 1 to 16.